1  Introduction

Some unexpected problems in the semantics and logic of block-structured local variables have been identified by Halpern, Meyer, and Trakhtenbrot [10,28]. The usual cpo based models for stores and programs do not satisfactorily model the stack discipline of blocks in ALGOL-like languages. The simplest example involves a trivial block which calls a parameterless procedure identifier P.

Example 1 The block below is replaceable simply by the call P.

begin
new x;
P; % P is declared elsewhere
end

It is easy to argue informally that the block in Example 1 acts the same as P. Namely, since ALGOL-like languages mandate static scope for local variables, it follows that P has no access to the local variable x, so allocating x and then deallocating it if and when the call to P returns can have no influence on the call to P.

A similar, slightly more interesting example illustrates some of the features of the ALGOL-like dialect we consider here.

Example 2 The block below always diverges.

begin
new x;
x := 0;
P; % P is declared elsewhere
if contents(x) = 0 then diverge fi
end

To verify Example 2, we note that the definition of ALGOL-like languages in [10,28] implies that the call of P has side-effects on the store only, viz., no input/output effects, and no goto's or other transfers of control. This is essentially the same language Reynolds has called the "essence" of ALGOL [22], without goto's or jumps. In particular, the only way the call of P in the block can fail to return is by diverging. If the call does return, then since the contents of x equals zero immediately before the call, static scope again implies that the contents will still be zero when the call returns, so the conditional test will succeed, causing divergence in any case.

Note that these arguments implicitly presuppose that P is a call to a declared procedure. That is, the arguments really show that if C[·] is any closed ALGOL-like program context such that [·] is a "hole" within the scope of a declaration of P, then C[Block 1] has exactly the same effect on the store as C[P], and likewise C[Block 2] has exactly the same effect as C[diverge]. We say that the block in Example 1 and P are observationally congruent in ALGOL-like contexts; likewise the block in Example 2 is observationally congruent to diverge.

On the other hand, if P was a call of an independently compiled "library" program, even one originally written in ALGOL, which did not share the memory management mechanisms of the ALGOL compiler used on Blocks 1 and 2, then the call might detect changes on the stack of variables like x, and might even alter the contents of stack variables, making the behavior of the blocks unpredictable. Thus, we have not shown that Block 1 is semantically equivalent to P, even when the values of P range only over ALGOL-like procedures.

Indeed, the congruences of Examples 1 and 2 are not semantical equivalences in the standard denotational semantics for ALGOL-like languages using "marked" stores [12,9]. In such semantics, Block 1 and P are only equivalent on stores in which the locations "accessible" to P are correctly marked as in use, but certainly not on incorrectly marked stores.

The problem which motivates this paper is to provide mathematical justification for the informal but convincing proofs of observational congruences like the two above. Following [10], we approach the problem by trying to construct semantical models of ALGOL-like languages in which semantical equivalence is a good guide to observational congruence. An ideal situation occurs when the mathematical semantics is fully abstract, i.e., semantic equivalence coincides with observational congruence. However, experience in domain theory suggests that full abstraction is hard to achieve and may not even be appropriate [1,13]. Indeed, if the programming language in question suffers design weaknesses, it may be necessary to modify the language design to match a clean semantics; this is an important message of [20], for example. In this paper we describe several semantical models which are fully abstract for various ALGOL-like sublanguages, though not for the full range of ALGOL-like features.

In this preliminary paper, we omit a precise definition of the full syntax and features of ALGOL-like languages, expecting that the examples below will be fairly clear without formal definition. It is helpful, as explained in [5,22,28,10,19], to regard the "true" syntax of ALGOL-like languages as the simply typed λ-calculus over the base types

Loc, Val, Locexp, Valexp, Prog

of memory locations, storable values, location thunks, value thunks and programs. The calculus has fixed point, conditional, and other combinators suitable for interpreting ALGOL-like phrase constructors such as assignments or command sequencing. Actual ALGOL dialects restrict the procedure types (all calls return nothing, and parameters of type Locexp, among others, are excluded), but these restrictions have little effect on our results.

2  The  Usual  Cpo  Based  Models 

Semantical models must be computationally adequate, i.e., they must agree with the operational (copy-rule) semantics of ALGOL on the computational behavior of closed program blocks. In any adequate semantics, semantic equality implies observational congruence. The usual cpo based models are satisfactory in this respect.

For example, a typical cpo based "marked store" model takes the base type representing locations to be Loc⊥, the flat cpo over a countably infinite set Loc, and the base type of storable values to be Val⊥ for some set Val. Let Stores = (Loc → Val) × P_fin(Loc), where A → B denotes the set of all total set-theoretic functions from set A to set B, and P_fin(A) denotes the set of all finite subsets of A. The intention is that when (c, m) ∈ Stores, the set m ⊆ Loc denotes the marked locations and c(l) ∈ Val gives the contents of location l. Let the base type Valexp of value thunks be interpreted as Stores → Val⊥, partially ordered pointwise; similarly for the base type Locexp. Let the base type Prog of programs be Stores ⇀ Stores, where ⇀ denotes the set of all set-theoretic partial functions, partially ordered under containment. Each of these base types is now a cpo, and we interpret higher ALGOL-like functional types by taking the continuous functions. Then we may summarize the introductory discussion by:

Theorem 1 The "marked store" cpo based model for the ALGOL-like language (which is the language Reynolds calls the "essence of ALGOL" [22] without goto's or jumps) is computationally adequate but not fully abstract.

For ALGOL without local variables, the simpler "continuous stores" model, in which Stores = Loc → Val⊥, Valexp = Stores → Val⊥, similarly for Locexp, and Prog = Stores → Stores⊥ with domain the total continuous functions, is fully abstract after one modification. For reasons which will be clear to readers familiar with Plotkin's "parallel or" [20], a ∨-combinator must be added to the language.

Theorem 2 The continuous store model for the language Prog, without the New combinator and with an additional ∨-combinator, is computationally adequate and fully abstract.

Note that Example 2 makes it clear that the marked store model is still not fully abstract even with the addition of ∨. Thus, Theorems 1 and 2 confirm that local variables are a source of difficulty in this approach. We remark that although Theorem 1 has nearly the status of a folk theorem in domain theory, we know of no published proof; our own proof follows the computability method applied to the functional language PCF in [20]. Our proof of Theorem 2 again applies the results of [20] about definability of "finite" elements together with some folk theorems connecting Clarke's restricted ALGOL-like language and higher-order recursive function schemes.


3  Halpern-Meyer-Trakhtenbrot  Store  Models 

To handle Examples 1 and 2, Halpern-Meyer-Trakhtenbrot proposed a formal definition of the support of a function from Stores to Stores. Intuitively the support of a store transformation p is the set of locations which p can read or write. In the HMT store model [10], Prog is taken to be the set of p with finite support. To model local variables, the notion of support is extended to the type Loc → Prog of block bodies regarded as a function of their free location identifier. The semantical space used to interpret such block body functions is again restricted to be the elements in Loc → Prog with finite support. Since there are an infinite number of locations, this restriction guarantees that a location can be found which is not in the support of any given block body. Then local storage allocation for a block begin new x; body end is (uniquely) determined by the rule that x be bound to any location not in the support of the function denoted by λx. body.

Thus the HMT model justifies the conclusion that Block 2 diverges: if P denotes some store transformation p ∈ Prog, then any location l ∉ support(p) can be bound to x. This proves divergence of the block, because p by definition cannot change the contents of locations outside its support.

The definition of support for block body functions requires another ingredient: locations which are "recognized" by the block body, even if they are neither read nor written, must be counted in the support of the block body. Thus:


Example 3 The blocks

begin new x; new y; x := 0; y := 0; Q(x, y) end

begin new x; new y; x := 0; y := 0; Q(y, x) end

are HMT equivalent.

The argument for equivalence of the blocks goes briefly as follows. Let q ∈ (Loc × Loc) → Prog be the meaning of the procedure identifier Q. The definition of local variable allocation in the HMT model implies that x and y can be bound in the body of either block to distinct locations lx, ly ∉ support(q). By definition of support, q cannot recognize locations not in its support, treating them in a uniform way (cf. Appendix A). So the store transformations q(lx, ly) and q(ly, lx) agree on all stores s with s(lx) = s(ly), their restrictions to support(q) ∪ {lx, ly} being the same. Since contents(x) = contents(y) = 0 when the block bodies begin execution, and stack discipline specifies that the contents are restored to their original values on deallocation, it follows that both blocks define the same store transformation as q(lx, ly) restricted to support(q).

The HMT store model was claimed to be computationally adequate, but not necessarily fully abstract. Its successful handling of Examples 1 to 3 is a consequence of the following general result about the "first-order" ALGOL-like sublanguage without goto's and jumps, in which procedure parameters are restricted to be of type Val and Loc (essentially the language considered in [6]).

Theorem 3 The HMT store model is computationally adequate for all ALGOL-like language features other than goto's and jumps. It is fully abstract wrt the "first-order" sublanguage with an additional ∨-combinator.

We remark here that we have been generous in our references to the HMT store model described in [10], since in fact the construction sketched there contains a serious technical error noticed independently by the second author and A. Stoughton. In Appendix A we repair this error, and moreover develop a methodology for constructing improved models based on the notion of locally complete partial orders (lcpo's). Thus, Theorem 3 refers to the corrected HMT store model.

We now consider some second-order examples.

Example 4 The block below always diverges.

begin
new x; new y;
procedure Twice; begin y := 2 * contents(y) end;
x := 0; y := 0;
Q(Twice); % Q is declared elsewhere
if contents(x) = 0 then diverge fi
end

Two additional reasoning principles about support which hold in the HMT model (cf. Appendix A) arise in handling this example. First, in reasoning about program text in the scope of a local variable declaration new x, we may assume that the value of x is any convenient location not in the support of (the values of) each of the free identifiers in the scope of the declaration. Second, we always have support(Q(P)) ⊆ support(P) ∪ support(Q). Now clearly, support(Twice) = {y}. Since x is free in the scope of the new y declaration, the first principle applied to y implies that x and y denote different locations, so x ∉ support(Twice). Since Q is free, x ∉ support(Q). By the second principle, we may now assume x ∉ support(Q(Twice)). Hence, we may reason about the call Q(Twice) in Example 4 exactly as we did for the call P in the divergent block of Example 2.

Unfortunately the HMT model does not handle all examples with second-order procedures, as the following elegant counter-example pointed out to us by A. Stoughton makes clear:

Example 5 The block below always diverges.

begin
new x;
procedure Add_2; % Add_2 is the ability to add 2 to x
begin x := contents(x) + 2 end;
x := 0;
Q(Add_2); % Q is declared elsewhere
if contents(x) mod 2 = 0 then diverge fi
end


The block in Example 5 does not diverge identically in HMT because Q might denote an element q ∈ Prog → Prog such that q(p) is a program which sets to one all locations writable by p. Such a q exists in the HMT model because it is continuous (in the HMT sense, cf. Appendix A) and has empty support. However, Block 5 is observationally equivalent to diverge: Q has no independent access to the local variable x, so the only ability the program Q(Add_2) has relative to x is the ability to increment its contents by two. Since contents(x) is an even integer, namely zero, before execution of this program, it will still be even if and when the program terminates, so the conditional test will succeed and cause divergence. Thus we have

Lemma 1 Block 5 is observationally congruent to diverge, but not equal to diverge in the HMT store model.


Theorem 4 The HMT model is not fully abstract even for Prog programs whose procedure calls take parameters only of program type.

The failure of full abstraction for the HMT store model is particularly interesting precisely because the model is a good one. In particular, the various rules and systems proposed in the literature for reasoning about procedures in ALGOL-like languages are all sound for the HMT model (insofar as they are sound at all, cf. [14]). It follows that the divergence of Block 5 (and perhaps Block 4 too) is independent of the theorems provable from other proof systems in the literature including [28,10,25,17,16,11,24]. Reynolds' specification logic [21,23] is shown in [20,27] to be intuitionistically sound using a functor category semantics; it is not yet clear how the semantics and logic of [27] handles these examples.

4  The  Invariant-Preserving  Model 

In order to handle Example 5 we must know that every procedure Q of type Prog → Prog preserves invariants outside its support. This is expressed precisely by the following reasoning principle:

Let Q be of type Prog → Prog and P of type Prog. Let π be a property of stores such that support(π) ∩ support(Q) = ∅. If π is an invariant of P, then π is also an invariant of Q(P).

This principle implies divergence of Block 5 because, letting π be defined by the formula contents(x) mod 2 = 0, we see that support(π) = {x} and π is an invariant of Add_2. Inside the block we may assume that x ∉ support(Q), and so the principle implies that π is also an invariant of Q(Add_2). Thus, the conditional test following the call Q(Add_2) will succeed, leading to divergence.
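The store-level notions behind Example 5 and the principle above (support of a program, a predicate being an invariant, the set of locations a program can write) can be computed by brute force over a finite universe. The following is an added example, not the paper's code: the universe (three locations, four values, x at location 0), the programs add_2, q_algol and q_hmt, and all function names are constructed here. It checks that support(Add_2) = {x} and that π is an invariant of Add_2; that an ALGOL-like Q preserves π and so Block 5 diverges; and that Stoughton's q (which sets to one every location its argument can write) satisfies the containment support(Q(P)) ⊆ support(P) ∪ support(Q) yet breaks π, so Block 5 terminates under it. The paper's claim that this q has empty support at type Prog → Prog is not verified by the code; only its consequences at type Prog are.

```python
"""Added example (not the paper's code): support, invariants and writable
locations of store transformations, computed by enumeration over a tiny
universe so the reasoning about Example 5 can be checked mechanically.
A program is a function from stores (tuples indexed by location) to a store
or None, where None stands for divergence (bottom)."""
from itertools import product

LOC = (0, 1, 2)      # three locations; x is location 0 (constructed universe)
VAL = (0, 1, 2, 3)   # storable values; arithmetic wraps mod 4 to stay finite
X = 0


def all_stores():
    """Every total store Loc -> Val."""
    return [tuple(vs) for vs in product(VAL, repeat=len(LOC))]


def update(s, l, v):
    return s[:l] + (v,) + s[l + 1:]


def support(p):
    """l lies outside support(p) iff p neither reads nor writes l, i.e.
    p(s[l:=v]) = p(s)[l:=v] for all stores s and values v."""
    supp = set()
    for l in LOC:
        for s in all_stores():
            for v in VAL:
                lhs, rhs = p(update(s, l, v)), p(s)
                if (lhs is None) != (rhs is None) or \
                        (lhs is not None and lhs != update(rhs, l, v)):
                    supp.add(l)
                    break
            if l in supp:
                break
    return supp


def is_invariant(pi, p):
    """pi is an invariant of p: whenever pi holds before p and p terminates,
    pi holds afterwards."""
    return all(pi(p(s)) for s in all_stores() if pi(s) and p(s) is not None)


def writable(p):
    """Locations whose contents p changes on some store."""
    return {l for l in LOC for s in all_stores()
            if p(s) is not None and p(s)[l] != s[l]}


def add_2(s):
    """Add_2 of Example 5: x := contents(x) + 2 (mod 4 in this universe)."""
    return update(s, X, (s[X] + 2) % 4)


def even_at_x(s):
    """The predicate pi: contents(x) mod 2 = 0."""
    return s[X] % 2 == 0


def q_algol(p):
    """An ALGOL-like Q declared outside the block: it calls its argument and
    then writes location 2, the only location it can see."""
    def prog(s):
        t = p(s)
        return None if t is None else update(t, 2, 1)
    return prog


def q_hmt(p):
    """Stoughton's HMT element: q(p) sets to one every location p can write."""
    w = writable(p)

    def prog(s):
        for l in w:
            s = update(s, l, 1)
        return s
    return prog


def block5(q):
    """begin new x; x := 0; Q(Add_2); if contents(x) mod 2 = 0 then diverge fi end
    with x bound to location X and Q denoting q; None means divergence."""
    s = update(all_stores()[0], X, 0)     # some initial store with x := 0
    t = q(add_2)(s)
    if t is None or t[X] % 2 == 0:
        return None
    return t
```

Running block5 with q_algol yields None (divergence), while q_hmt leaves x equal to 1 and the block returns; support(q_hmt(add_2)) is still {x}, which is why the support containment principle alone cannot rule this element out and the invariant-preservation principle is needed.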

The above reasoning principle is valid in the Invariant-Preserving model (cf. Appendix A). Actually all the previous examples are handled successfully by this model as a consequence of the following general result.
An ALGOL-like term is said to be closed iff its only free identifiers are of type Loc. A semantics is said to be half-fully abstract for a language iff semantic equality between two terms, one of which is closed, coincides with observational congruence.

Define the PASCAL-like sublanguage by the condition that procedure parameters are restricted to be of type Val, Loc, or Val^n × Loc^m → Prog.

Theorem 5 The Invariant-Preserving Model is computationally adequate for the full range of ALGOL-like features. With an additional ∨-combinator, it is fully abstract for the first-order sublanguage and is half-fully abstract wrt the PASCAL-like sublanguage.

Since Example 5 involves observational congruence to a closed term which identically diverges, the Invariant-Preserving Model handles it, as well as the following slightly more sophisticated variant. (Note that the test z = x below indicates equality of locations, rather than their contents.)

Example 6 The block

begin
new x;
procedure Almost_Add_2(z);
begin if z = x then x := 1 else x := contents(x) + 2 fi end;
x := 0;
P(Almost_Add_2);
if contents(x) mod 2 = 0 then diverge fi
end

always diverges.

The following example illustrates failure of full abstraction in the Invariant-Preserving Model:

Example 7 The block

begin new x; procedure Add_1; begin x := contents(x) + 1 end; P(Add_1) end

is observationally congruent to the block

begin new x; procedure Add_2; begin x := contents(x) + 2 end; P(Add_2) end
The idea is that since P has no independent access to x, and since its actual parameters in Example 7 do not enable P to read contents(x), the procedure calls P(Add_1) and P(Add_2) differ only in their effect on x. Since x is deallocated on block exit, the blocks are observationally equivalent. Nevertheless,

Lemma 2 The two blocks in Example 7 are observationally congruent but not semantically equivalent in the Invariant-Preserving Model.

Evidently other proof principles than preservation of invariants are needed to formalize this observational congruence argument. The reader may care to invent one.

5  Conclusion 

We have seen a series of simple examples illustrating how to reason about block-structured languages. Most of these principles have never been stated in the literature, let alone been proved sound. To establish soundness we constructed a series of models for ALGOL-like languages. The formal machinery for constructing the models based on lcpo's is sketched in Appendix A. It merits detailed discussion which we have had to forego here. The best of our models is still not fully abstract for PASCAL-like sublanguages, but we are working on a proof that our methods will extend to this case. We see no reason why our approach should not extend to the full range of ALGOL-like features, but it would be premature to conjecture that full abstraction can be achieved this way.

Oles and Reynolds [22,18,19] have also developed models of ALGOL-like languages using a categorical framework. They do not consider computational adequacy or full abstraction as explicit issues. Tennent has informed us in private communication that his version of the Reynolds-Oles functor category semantics correctly handles Examples 1 and 2. A comparison between their approach and ours has yet to be worked out. Actually our models can also be seen from a category theoretic viewpoint: an lcpo is a functor from a partially ordered index set to the category of cpo's, and the locally continuous functions are similar to, but not exactly, natural transformations between such functors; but we have not found this viewpoint advantageous.
A  Appendix.  Locally  Complete  CPO  Models

For cpo's A, B, we write A ⊲ B to indicate that A is a strict sub-cpo of B, i.e., A is a sub-cpo of B and ⊥_A = ⊥_B.

Definition 1 Let I be a directed set. An I-lcpo is a partially ordered set $D = \bigcup_{i \in I} D_i$ with least element $\bot_D$, where D restricted to $D_i$ is a cpo, and $D_i \lhd D_j$ whenever $i \leq j$.

It follows from this definition that $\bot_{D_i} = \bot_D$ for every $i \in I$.

Definition 2 Let D and E be I-lcpo's. For $f : D \to E$, let $f_i$ denote the restriction of f to $D_i$, and define

$$(D \to E)_i = \{ f : D \to E \mid f_j \text{ is a continuous function from } D_j \text{ to } E_j \text{ for all } j \geq i \}.$$

Then $D \to E = \bigcup_i (D \to E)_i$ is called the set of locally continuous functions from D to E.

Lemma 3 $D \to E$, partially ordered pointwise, is an I-lcpo.

Lemma  4  Every  locally  continuous  function  on  an  I-lcpo  D  has  a  least  fixed  point,  which 
is  characterized  as  usual. 

Definition 3 Let D be an I-lcpo and $i \in I$. An n-ary relation R on D is called i-admissible if $R[d, \ldots, d]$ holds for every $d \in D_i$ and the restriction of R to the cpo $D_j$ is admissible for every $j \geq i$.

Definition 4 A tag set over I is a set K such that every $k \in K$ has an associated number $n_k \geq 1$ and a downward closed set $down(k) \subseteq I$.

Definition 5 Let K be a tag set over I. A K-relationally structured I-lcpo (short: [I,K]-rcpo) is an I-lcpo D with, for each $k \in K$, an $n_k$-ary relation $R_k$ on D, such that $R_k$ is i-admissible for every $i \in down(k)$.

For $R \subseteq D^n$, $S \subseteq E^n$ we let $R \to S$ denote the lifted relation on $D \to E$ defined by

$$(R \to S)(f_1, \ldots, f_n) \text{ iff } \forall d_1, \ldots, d_n.\; R(d_1, \ldots, d_n) \to S(f_1(d_1), \ldots, f_n(d_n)).$$

Definition 6 Let D, E be [I,K]-rcpo's. For every i define

$$(D \Rightarrow E)_i = \{ f \in (D \to E)_i \mid (R^D_k \to R^E_k)(f, \ldots, f) \text{ whenever } i \in down(k) \}.$$

Then $D \Rightarrow E = \bigcup_i (D \Rightarrow E)_i$ is called the set of relation preserving functions from D to E.




Lemma 5 $D \Rightarrow E$, partially ordered pointwise and K-relationally structured by (the restrictions of) the lifted relations $R^{D \Rightarrow E}_k = (R^D_k \to R^E_k)$, is an [I,K]-rcpo.

Theorem 6 The category [I,K]-RCPO, whose objects are [I,K]-rcpo's and whose morphisms are relation preserving functions, is Cartesian closed. Hence, if every ground type τ is interpreted as an [I,K]-rcpo $D^\tau$, and $D^{\sigma \to \tau}$ is defined inductively to be $D^\sigma \Rightarrow D^\tau$, then $\{D^\tau\}$ is a model of the simply typed λ-calculus. In this model, the meaning of any pure λ-term of type τ is contained in $D^\tau_i$ for all i. Hence there is a least fixed point operator $Y_\tau$ for each type τ, which is contained in $D^{(\tau \to \tau) \to \tau}_i$ for all i.

Lemma 6 Let $\{D^\tau\}$ be an rcpo-model as in Theorem 6. Then $R^\tau_k[d, \ldots, d]$ holds for all $d \in D^\tau_i$ whenever $i \in down(k)$, and if $i, j \leq h$, then $D^{\tau_1 \to \tau_2}_i(D^{\tau_1}_j) \subseteq D^{\tau_2}_h$ for all types $\tau_1, \tau_2$.

A first application of Theorem 6 leads to a repaired version of the Halpern-Meyer-Trakhtenbrot model. Namely, let Perm(Loc) be the set of strict permutations $\mu : Loc_\bot \to Loc_\bot$, and for every $\mu \in Perm(Loc)$, let $Fix(\mu)$ denote the set of fixed points of μ. Further let $Stores = Loc \to Val$, and for every $L \subseteq Loc$, let $=_L$ be the binary relation on $Stores_\bot$ defined by

$$s_1 =_L s_2 \text{ iff } s_1 = \bot = s_2 \;\vee\; (s_1 \neq \bot \neq s_2 \wedge \forall l \in L.\; s_1(l) = s_2(l)).$$


Definition 7 Let $I = \mathcal{P}_{fin}(Loc)$. Let $K = Perm(Loc)$, and for every $\mu \in K$ let $n_\mu = 2$ and $down(\mu) = \{L \mid L \subseteq Fix(\mu)\}$. Then the HMT Store Model is defined by the ground type lcpo's

$$D^{Val}_L = Val_\bot,$$

$$D^{Loc}_L = L \cup \{\bot\},$$

$$D^{Valexp}_L = \{ f : Stores \to Val_\bot \mid \forall s_1, s_2.\; s_1 =_L s_2 \Rightarrow f(s_1) = f(s_2) \},$$

$$D^{Locexp}_L = \{ f : Stores \to Loc_\bot \mid (\forall s.\; f(s) \in L \cup \{\bot\}) \wedge \forall s_1, s_2.\; s_1 =_L s_2 \Rightarrow f(s_1) = f(s_2) \},$$

$$D^{Prog}_L = \{ f : Stores \to Stores_\bot \mid (\forall s.\; f(s) \neq \bot \Rightarrow s =_{Loc - L} f(s)) \wedge \forall s_1, s_2.\; s_1 =_L s_2 \Rightarrow f(s_1) =_L f(s_2) \},$$

relationally structured by

$$R^{Val}_\mu(v_1, v_2) \text{ iff } v_1 = v_2,$$

$$R^{Loc}_\mu(l_1, l_2) \text{ iff } \mu(l_1) = l_2,$$

$$R^{Valexp}_\mu(f_1, f_2) \text{ iff } \forall s.\; f_1(s \circ \mu) = f_2(s),$$

$$R^{Locexp}_\mu(f_1, f_2) \text{ iff } \forall s.\; \mu(f_1(s \circ \mu)) = f_2(s),$$

$$R^{Prog}_\mu(f_1, f_2) \text{ iff } \forall s.\; f_1(s \circ \mu) = f_2(s) \circ \mu.$$
By Theorem 6 this defines a model of the simply typed λ-calculus. It turns out that for every element $d \in D^\tau$ there is a smallest set L such that $d \in D^\tau_L$. This set L is called the support of d. Theorem 6 then implies that all pure λ-terms have meanings with empty support, and Lemma 6 implies that $support(d_1(d_2)) \subseteq support(d_1) \cup support(d_2)$ always holds.

The definition of the model captures several aspects of support mentioned earlier. In particular, for every element d of type τ in the model, $R^\tau_\mu(d, d)$ holds by Lemma 6 whenever $support(d) \subseteq Fix(\mu)$. This expresses the "uniformity" of d on locations outside its support, which was important in Example 3 and is crucial for defining the semantics of the New combinator.
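The uniformity property just stated, restricted to type Prog, says that $f(s \circ \mu) = f(s) \circ \mu$ for every store s and every permutation μ fixing the support of f. The following is an added example, not the paper's code, checking $R^{Prog}_\mu(f, f)$ by enumeration over a finite location set; the universe, the programs flip0 and copy0to1, and the function names are constructed here, and $s \circ \mu$ is taken to be the store $l \mapsto s(\mu(l))$. It also illustrates the Example 3 argument: a program whose support is {0} is uniform under the permutation swapping locations 1 and 2, but not under permutations that move location 0.

```python
"""Added example (not the paper's code): checking the HMT uniformity relation
R_mu^Prog(f, f), i.e. f(s o mu) = f(s) o mu for all stores s, over a finite
set of locations. A permutation mu is a tuple giving the image of each
location; stores are tuples indexed by location; None stands for bottom."""
from itertools import permutations, product

LOC = (0, 1, 2)   # constructed universe of locations
VAL = (0, 1)      # two storable values keep the enumeration small


def all_stores():
    return [tuple(vs) for vs in product(VAL, repeat=len(LOC))]


def compose(s, mu):
    """(s o mu)(l) = s(mu(l))."""
    return tuple(s[mu[l]] for l in LOC)


def fix(mu):
    """Fix(mu): the locations mu leaves in place."""
    return {l for l in LOC if mu[l] == l}


def uniform_under(f, mu):
    """R_mu(f, f): f(s o mu) = f(s) o mu for every store s."""
    for s in all_stores():
        lhs, rhs = f(compose(s, mu)), f(s)
        rhs = None if rhs is None else compose(rhs, mu)
        if lhs != rhs:
            return False
    return True


def uniformity_failures(f, L):
    """Permutations mu with L subseteq Fix(mu) under which f is not uniform.
    Lemma 6 predicts the empty set whenever support(f) subseteq L."""
    return {mu for mu in permutations(LOC)
            if L <= fix(mu) and not uniform_under(f, mu)}


def flip0(s):
    """Support {0}: location 0 := 1 - contents(0)."""
    return (1 - s[0],) + s[1:]


def copy0to1(s):
    """Support {0, 1}: location 1 := contents(0)."""
    return (s[0], s[0], s[2])
```

For flip0 with L = {0} there are no failures, while with L = ∅ the four permutations that move location 0 all break uniformity; copy0to1 is uniform under every permutation fixing {0, 1} but not under the swap of 1 and 2, which fixes only location 0.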

Finally, the "intended" interpretations, namely interpretations which guarantee computational adequacy, must be proved to exist in the model for all the ALGOL constants. An example is the combinator Assign of type Loc → Valexp → Prog, for interpreting assignment, whose intended meaning is the function

$$assign(l)(f)(s) = \begin{cases} s[l \mapsto f(s)] & \text{if } l \neq \bot,\; f(s) \neq \bot, \\ \bot & \text{otherwise.} \end{cases}$$

It follows from the definitions that $assign \in D^{Loc \to Valexp \to Prog}_\emptyset$; in particular, it has empty support, as do all the necessary combinators. So we can define [[Assign]] = assign in the model.

The combinator which causes the main semantical problem is New of type (Loc → Prog) → Prog, used to explain the semantics of block structure by translation into λ-calculus:

Translation(begin new x; Cmd end) ::= (New (λx : Loc. Translation(Cmd))).

The definition of [[New]] follows [10]; we omit the details here. This completes our summary of the HMT semantics.

Proof Sketch for the full abstraction part of Theorem 3: Adapt the ideas of [20] to locally continuous models. Every element of a local cpo $D^\tau_L$ (where τ is first-order) is the lub of a directed set of finite elements in $D^\tau_L$, and these finite elements are definable by closed ALGOL-like terms. Local continuity then implies that two semantically different phrases can be distinguished by choosing definable objects for their free procedures. This means that they can be distinguished by a program context. □

A further application of Theorem 6 leads to the Invariant-Preserving Model. For every $L \subseteq Loc$, let $Pred(L)$ be the set of predicates on stores which only depend on L, namely

$$Pred(L) = \{ \pi : Stores \to \{true, false\} \mid \forall s_1, s_2 \in Stores.\; s_1 =_L s_2 \Rightarrow (\pi(s_1) = \pi(s_2)) \}.$$


Definition 8 Let $I = \mathcal{P}_{fin}(Loc)$ and $K = Perm(Loc) \cup \{(L, \Pi) \mid L \in I \text{ and } \Pi \subseteq Pred(L)\}$. For $\mu \in K$, let $n_\mu = 2$ and $down(\mu) = \{L \mid L \subseteq Fix(\mu)\}$ as in the HMT model (Def. 7). For $(L, \Pi) \in K$, let $n_{(L,\Pi)} = 1$ and $down(L, \Pi) = \{L' \mid L \cap L' = \emptyset\}$. The Invariant-Preserving Model is then defined by the same ground type lcpo's as the HMT model, relationally structured by

$$R^\tau_\mu \text{ as in Def. 7, for all ground types } \tau,$$

$$R^{Loc}_{(L,\Pi)}(l) \text{ iff } l \notin L,$$

$$R^{Prog}_{(L,\Pi)}(f) \text{ iff } \forall s.\; \forall \pi \in \Pi.\; \pi(s) \wedge f(s) \neq \bot \Rightarrow \pi(f(s)), \text{ i.e., every } \pi \in \Pi \text{ is an invariant of } f,$$

$$R^\tau_{(L,\Pi)} = true \text{ for the other ground types } \tau.$$

This yields a model of the simply typed λ-calculus in which all ALGOL constants can be given their intended interpretations and in which support(d) can be defined as the smallest set L such that $d \in D_L$. It has the additional property that $R_{(L,\Pi)}(d)$ holds whenever $L \cap support(d) = \emptyset$. A particular instance of this property is:

Let g be of type Prog → Prog and f of type Prog. If $\pi \in Pred(Loc - support(g))$ is an invariant of f, then π is also an invariant of g(f).

This is the reasoning principle which we have applied to Example 5.

We only obtain half-full abstraction in Theorem 5 because, in contrast to the first-order sublanguage, an element $d \in D^\tau_L$ (where τ is a PASCAL procedure type) is not necessarily given by an lub of definable elements in $D^\tau_L$ but is only bounded above by such an lub.